Comments on: QR Codes and NFC Chips: Preview-and-authorize should be default http://www.welivesecurity.com/2012/04/23/qr-codes-and-nfc-chips-preview-and-authorize-should-be-default/ News, Views, and Insight from the ESET Security Community Mon, 03 Feb 2014 08:49:00 +0000

By: Thomas Stevinson http://www.welivesecurity.com/2012/04/23/qr-codes-and-nfc-chips-preview-and-authorize-should-be-default/#comment-789 Fri, 06 Jul 2012 09:57:31 +0000 http://blog.eset.com/?p=12551#comment-789
In the UK it seems we haven't really picked up on QR codes as much as stateside. Are they still a big thing over there? As a webmaster I have wanted to start doing QR code advertising, but the majority of people over here don't know what they are, or if they do then they do not have the software to scan them. Maybe NFC will be a UK thing.

By: Stephen Cobb http://www.welivesecurity.com/2012/04/23/qr-codes-and-nfc-chips-preview-and-authorize-should-be-default/#comment-788 Thu, 26 Apr 2012 22:43:03 +0000 http://blog.eset.com/?p=12551#comment-788
Here are several useful links that Roger has kindly provided:

Article on safe scanning of QR codes

Some very clever research on QR code scanning used to record information about you

There is a lot more interesting QR code info at http://2d-code.co.uk/

By: Stephen Cobb http://www.welivesecurity.com/2012/04/23/qr-codes-and-nfc-chips-preview-and-authorize-should-be-default/#comment-787 Thu, 26 Apr 2012 17:12:41 +0000 http://blog.eset.com/?p=12551#comment-787
Good points Roger, which we will cover in more detail in further posts. I agree that basic or "literal" preview is of limited practical security value but it is a principle to build on. Obviously a really good scanner would do a lot more to analyze the instructions in the QR or NFC object, and it would NOT disclose information in the manner you attribute to AT&T. If we can verify that AT&T is doing what you say then we will withdraw our praise and warn people that this is happening.

If there is a QR scanner out there which you think is on the right track, please let me know.

As for pirate QR code stickers, we have not talked about them in the past because the average consumer in America has not been exposed to QR codes to such an extent as we see now, when they suddenly seem to be "everywhere."

By: Roger http://www.welivesecurity.com/2012/04/23/qr-codes-and-nfc-chips-preview-and-authorize-should-be-default/#comment-786 Thu, 26 Apr 2012 12:10:14 +0000 http://blog.eset.com/?p=12551#comment-786
"Preview-and-authorize" doesn't work as a security option because the observed URL can be redirected. Better security options are discussed here

You may not be aware that the scanner you recommend (AT&T Code Scanner) is one of those that sends details of every QR Code you scan to one of its servers (id2att.com). At the same time it sends details of your mobile device and anything else it can discern such as location, zipcode, age etc. Some of the other scanners that spy on you can be found here

"Pirate QR code stickers" have been used for years; the first recorded in the West was in 2009.
